# Investigate Flash Loan Txn

#### Summary

Flash loan transactions are a very common form of exploit that occurs on the blockchain. Here we will investigate an actual on-chain incident where funds were stolen and moved to a rogue wallet.

#### Blockscope Tools we will use

| Action                                                      | Tool Used                      |
| ----------------------------------------------------------- | ------------------------------ |
| Decode the initial Transaction                              | Blockscope Transaction Decoder |
| Trace the stolen funds                                      | Blockscope Token Tracer        |
| Check Wallet for balance                                    | Blockscope Wallet Profiler     |
| Find Associated Wallets                                     | Blockscope Wallet Profiler     |
| Set up real-time monitoring of the wallet holding the stolen funds | Blockscope Watchtower |

#### Customer Types

The following customer types would be interested in conducting on-chain investigations similar to the one we are about to conduct.

* Institutions
* Government Agencies
* Regulators
* Forensics Teams

#### Investigation

1\) Investigation entry point: search for the blockchain transaction

<figure><img src="/files/dKHrIEuO2eLU1LxUBx6E" alt=""><figcaption></figcaption></figure>

2\) We can see that Blockscope was able to decode most of the on-chain data

<figure><img src="/files/3LimUdDMZxSYbyc7koYe" alt=""><figcaption></figcaption></figure>

3\) Let's look at the top addresses, protocols and tokens involved in this transaction

<figure><img src="/files/O3DGN5BQ2IsHr3a5crXw" alt=""><figcaption></figcaption></figure>

4\) The first red flag is the presence of the Self Destruct function.

<figure><img src="/files/RRiMn7ByWuQyyPcHhLE1" alt=""><figcaption></figcaption></figure>

5\) We can see all the known (green) accounts and unknown (red/orange) accounts. This high-level view tells us which protocols and tokens were used

<figure><img src="/files/mZddC7sn4NBiTdKHbHQx" alt=""><figcaption></figcaption></figure>

6\) Filtering the interactions down to just transfers of ERC-20 and native tokens lets us trace the stolen funds to one particular account. We can now focus on tracing the funds in and out of that account using the Tracer Tool

<figure><img src="/files/3xo3Dl6WyIrr13RJ9qvl" alt=""><figcaption></figcaption></figure>

7\) We can see the 65 ETH that moved into this account and its subsequent movement to Kyberswap and another contract

<figure><img src="/files/wYs5KgdfPV9KL3zToYzA" alt=""><figcaption></figcaption></figure>

8\) Further analysis shows that this user is a repeat exploiter who has gained 962 ETH from past exploits, worth over 2M USD today

<figure><img src="/files/wQrUfcGNjy74jjvU1gGp" alt=""><figcaption></figcaption></figure>

9\) Using Wallet Profiler, we check the wallet’s holdings and see it still had the 2M worth of Ether

<figure><img src="/files/LdaRhWQ8njQZiydlp2ev" alt=""><figcaption></figcaption></figure>

10\) Looking at the very first transaction, the user supplied funds here via an account that used Tornado Cash on Feb 14, 2020. This was probably an attempt to keep their identity hidden by using funds that went through Tornado Cash.

<figure><img src="/files/J4KujIR1wCZCuRl1SpIz" alt=""><figcaption></figcaption></figure>

11\) With a few clicks we’ve set up monitoring using Blockscope's Watchtower tool

<figure><img src="/files/tYX3MgCAQWzQ1ScHC82q" alt=""><figcaption></figcaption></figure>

12\) We will be notified in real-time for any new activity from this wallet.

<figure><img src="/files/S3erwt7MzTtvE3jLEvyR" alt=""><figcaption></figcaption></figure>
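
The filtering in step 6, as an added example that is not Blockscope's code: it keeps only the ERC-20 and native transfers from a decoded transaction and nets them per address, so the flash loan's borrow and repayment cancel out and the unlabelled account that ends up holding funds stands out. The record layout, address labels, known-account set and amounts are constructed assumptions, not data from this incident.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample: decoded interactions of one flash-loan transaction.
# Labels, tokens and amounts are illustrative, not the incident's real data.
DECODED = [
    {"kind": "erc20", "token": "WETH", "src": "lender_pool", "dst": "exploit_contract", "amount": "1000"},
    {"kind": "call", "src": "exploit_contract", "dst": "victim_protocol"},
    {"kind": "erc20", "token": "WETH", "src": "exploit_contract", "dst": "victim_protocol", "amount": "1000"},
    {"kind": "erc20", "token": "WETH", "src": "victim_protocol", "dst": "exploit_contract", "amount": "1066"},
    {"kind": "erc20", "token": "WETH", "src": "exploit_contract", "dst": "lender_pool", "amount": "1001"},
    {"kind": "erc20", "token": "WETH", "src": "exploit_contract", "dst": "weth_contract", "amount": "65"},
    {"kind": "native", "token": "ETH", "src": "weth_contract", "dst": "exploit_contract", "amount": "65"},
    {"kind": "native", "token": "ETH", "src": "exploit_contract", "dst": "beneficiary_wallet", "amount": "65"},
]

# Accounts the analyst has already labelled (the "green" ones in a decoded view).
KNOWN = {"lender_pool", "victim_protocol", "weth_contract"}
TRANSFER_KINDS = {"erc20", "native"}


def net_flows(records):
    """Sum inflows minus outflows per (address, token); non-transfer calls are skipped."""
    net = defaultdict(Decimal)
    for r in records:
        if r["kind"] not in TRANSFER_KINDS:
            continue
        amount = Decimal(r["amount"])
        net[(r["src"], r["token"])] -= amount
        net[(r["dst"], r["token"])] += amount
    return dict(net)


def unknown_gainers(records, known):
    """Unlabelled addresses that finish the transaction with a positive balance change."""
    return sorted(
        (addr, token, amt)
        for (addr, token), amt in net_flows(records).items()
        if amt > 0 and addr not in known
    )


if __name__ == "__main__":
    for addr, token, amt in unknown_gainers(DECODED, KNOWN):
        print(f"trace next: {addr} gained {amt} {token}")
    for (addr, token), amt in sorted(net_flows(DECODED).items()):
        print(f"{addr:20} {token:5} {amt:+}")
```

The intermediary contract nets to zero in both tokens, which is why a per-address net view points at the receiving wallet rather than at the contract that executed the calls.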


